Re: IIS 6 conflict using port 443 for NON-SSL traffic

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 04/11/05

  • Next message: John Smith: "How to tell if IIS lockdown Tool is installed?"
    Date: Mon, 11 Apr 2005 14:08:14 -0700
    
    

    This is a known limitation in HTTP.SYS in Windows Server 2003 and there is
    no work-around.

    HTTP.SYS does not support re-using the same PORT with different protocols,
    nor does it support binding an exclusive IP:Port combination.

    In other words, suppose you have one website with IP1:Port1:Host1 over HTTP:
    1. IP2:Port1 over SSL is not allowed
    2. IP2:Port2:Host2 over HTTP prevents IP1:Port2 or IP2:Port1 from being
    bound by another server.

    Both issues are inside of HTTP.SYS so the IIS version doesn't make a
    difference, but I will see whether these issues in HTTP.SYS can be addressed
    in the IIS7 timeframe.

    -- 
    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //

    "Richard Dixson" <reply@hereonlyplease.com> wrote in message
    news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...

    Unfortunately I tried that as well without success.  I tried several ways.
    The bottom line seems to be that something about port 443 is treated quite
    specially by IIS 6 and it does not want to allow it to share port 443 by
    non-SSL on one IP with SSL on another IP.

    I am wondering if anyone else has run into this or is aware of it, and how I
    may be able to work around it.

    Richard

    "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
    > For IIS6 use httpcfg rather than "disableSocketPooling" metabase setting.
    >
    > http://support.microsoft.com/kb/813368/EN-US/
    >
    > Cheers
    > Ken
    >
    > --
    > Blog: www.adopenstatic.com/cs/blogs/ken/
    > Web: www.adopenstatic.com
    >
    >
    > "Richard Dixson" <reply@hereonlyplease.com> wrote in message
    > news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
    > : I need IIS to respond to HTTP requests on port 443 for different IPs on the
    > : same web server, with one IP set up to handle NON ssl traffic (http://), and
    > : the other set up with a certificate to handle SSL (https://) traffic.
    > :
    > : IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this.  When you
    > : try to start the non-https site it complains that it is in use.  There is
    > : definitely a conflict due to IIS somehow locking port 443 exclusively for
    > : HTTPS traffic.
    > :
    > : Under IIS 5.0 I was able to successfully work around this conflict by
    > : disabling socket pooling.  However under IIS 6 disabling socket pooling
    > : does not work.
    > :
    > : Here is an example of what I am trying to do: On Web Server "A" I need to
    > : configure it like this:
    > :
    > :  Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL Port =
    > : <blank>
    > :
    > :  Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port =
    > : 443 with installed SSL certificate
    > :
    > : So traffic coming in as http://x.x.x.2:443/something.htm gets responded to
    > : as regular http (non-https) traffic over port 443 for this IP.  And traffic
    > : coming in as https://x.x.x.3/something.htm gets responded to as https
    > : traffic over port 443 as usual.
    > :
    > : I realize it is unusual to have to pass NON https traffic over port 443, but
    > : due to special circumstances this is a core requirement.
    > :
    > : If I remove virtual web site #2 then virtual site #1 works great - it will
    > : pass non-https traffic just fine over port 443, but ONLY IF there is no web
    > : site configured on the server to use HTTPS (even if such https web sites are
    > : configured on a different IP).
    > :
    > : The work around would be to set up a second dedicated web server for virtual
    > : web site #1 so that it runs without a web site configured to really use
    > : HTTPS.  Unfortunately this is not a possibility as I only have one physical
    > : production web server I can use, and I cannot avoid having a site on that
    > : server configured to use HTTPS.
    > :
    > : Can anyone offer some advice or tips on how I may be able to work around
    > : this?  Anyone know if IIS 7 will work the same way?
    > :
    > : Thank you very much in advance!
    > :
    > : Richard
    > :
    > :
    >
    >
    

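Added example, not part of the original thread and not Microsoft code: a small Python check that models only the two limitations as David states them above, so a planned set of bindings can be reviewed before deployment. The `Binding` tuple, the owner labels and the 192.0.2.x addresses are constructed for illustration, and the rules are a reading of the post, not HTTP.SYS's actual logic.

```python
from collections import namedtuple
from itertools import combinations

# owner HTTP_SYS = a site served through HTTP.SYS (IIS 6);
# any other owner = a different server process on the same machine.
Binding = namedtuple("Binding", "owner ip port scheme")
HTTP_SYS = "http.sys"


def find_conflicts(bindings):
    """Return (rule, binding, other) tuples for the two limitations in the post."""
    mine = [b for b in bindings if b.owner == HTTP_SYS]
    others = [b for b in bindings if b.owner != HTTP_SYS]
    conflicts = []

    # Limitation 1: one port cannot carry different protocols,
    # even when the two sites are on different IP addresses.
    for a, b in combinations(mine, 2):
        if a.port == b.port and a.scheme != b.scheme:
            conflicts.append(("port-protocol", a, b))

    # Limitation 2: bindings are not exclusive. With IP1:Port1 and IP2:Port2
    # in HTTP.SYS, another server cannot take IP1:Port2 or IP2:Port1.
    ips = {b.ip for b in mine}
    ports = {b.port for b in mine}
    for o in others:
        if o.ip in ips and o.port in ports:
            conflicts.append(("non-exclusive", o, None))
    return conflicts


# Constructed input: Richard's layout (x.x.x.2 / x.x.x.3 replaced by 192.0.2.x).
RICHARD = [
    Binding(HTTP_SYS, "192.0.2.2", 443, "http"),   # site #1, plain HTTP on 443
    Binding(HTTP_SYS, "192.0.2.3", 80, "http"),    # site #2, TCP port
    Binding(HTTP_SYS, "192.0.2.3", 443, "https"),  # site #2, SSL port
]

# Constructed input: two IIS sites plus a second, non-IIS server.
MIXED = [
    Binding(HTTP_SYS, "192.0.2.2", 80, "http"),
    Binding(HTTP_SYS, "192.0.2.3", 8080, "http"),
    Binding("other", "192.0.2.2", 8080, "http"),   # IP1:Port2 -> blocked
    Binding("other", "192.0.2.9", 8080, "http"),   # IP not used by HTTP.SYS
]

if __name__ == "__main__":
    for rule, a, b in find_conflicts(RICHARD) + find_conflicts(MIXED):
        print(rule, a, b)
```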